
Eufy privacy controversy response

Yesterday I sent an email to Eufy support expressing how unhappy I was with this privacy issue. I think the response is mid and the security team should be a third party. The response is an obvious copy and paste PR template:

 

Quote

Dear (my name was here)

 

Dear eufy Client,

Thank you for contacting us! Thanks for all your trust along the way!

We understand all your concerns and worries.

In fact, eufy products, services, and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.

We have signed up a safety investigation team for this "Eufy leaking your 'private' images" posted by Mr. Paul Moore. We provide the facts and truth for all eufy users and make this statement here,


https://community.security.eufy.com/t/eufy-security-statement-to-our-community/3541186

Your trust is the reason why eufy grows fast in the past, and thrives in the future! If you have any concerns or questions, you are more than welcome to contact us at any time!

Link to the site's post: https://community.security.eufy.com/t/eufy-security-statement-to-our-community/3541186

18 minutes ago, Gaimz said:

I think the response is mid and the security team should be a third party. The response is an obvious copy and paste PR template:

Chinese company breaching privacy. Imagine my shock.

 

Jokes aside, yeah it will be a very poor privacy policy as Chinese companies are basically state owned. Most devices like this if you sniff the traffic will often ping servers based in China with encrypted data.

Most of the time they ignore local laws and just play dumb when caught out with some PR spin on how they respect local laws and promise to change but they never do.

CPU: Ryzen 5900x | GPU: RTX 3090 FE | MB: MSI X470 Gaming Pro Carbon | RAM: 32gb Ballistix | PSU: Corsair RM750 | Cooler: Sythe Fuma 2 | Case: Phanteks P600s | Storage: 2TB WD Black SN 750 & 1TB Sabrent Rocket | OS: Windows 11 Pro & Linux Mint


What?  They leaked your images?  Little more context please.

"Do what makes the experience better" - in regards to PCs and Life itself.

 

Onyx AMD Ryzen 7 7800x3d / MSI 6900xt Gaming X Trio / Gigabyte B650 AORUS Pro AX / G. Skill Flare X5 6000CL36 32GB / Samsung 980 1TB x3 / Super Flower Leadex V Platinum Pro 850 / EK-AIO 360 Basic / Fractal Design North XL (black mesh) / AOC AGON 35" 3440x1440 100Hz / Mackie CR5BT / Corsair Virtuoso SE / Cherry MX Board 3.0 / Logitech G502

 

7800X3D - PBO -30 all cores, 4.90GHz all core, 5.05GHz single core, 18286 C23 multi, 1779 C23 single

 

Emma : i9 9900K @5.1Ghz - Gigabyte AORUS 1080Ti - Gigabyte AORUS Z370 Gaming 5 - G. Skill Ripjaws V 32GB 3200CL16 - 750 EVO 512GB + 2x 860 EVO 1TB (RAID0) - EVGA SuperNova 650 P2 - Thermaltake Water 3.0 Ultimate 360mm - Fractal Design Define R6 - TP-Link AC1900 PCIe Wifi

 

Raven: AMD Ryzen 5 5600x3d - ASRock B550M Pro4 - G. Skill Ripjaws V 16GB 3200Mhz - XFX Radeon RX6650XT - Samsung 980 1TB + Crucial MX500 1TB - TP-Link AC600 USB Wifi - Gigabyte GP-P450B PSU -  Cooler Master MasterBox Q300L -  Samsung 27" 1080p

 

Plex : AMD Ryzen 5 5600 - Gigabyte B550M AORUS Elite AX - G. Skill Ripjaws V 16GB 2400Mhz - MSI 1050Ti 4GB - Crucial P3 Plus 500GB + WD Red NAS 4TBx2 - TP-Link AC1200 PCIe Wifi - EVGA SuperNova 650 P2 - ASUS Prime AP201 - Spectre 24" 1080p

 

Steam Deck 512GB OLED

 

OnePlus: 

OnePlus 11 5G - 16GB RAM, 256GB NAND, Eternal Green

OnePlus Buds Pro 2 - Eternal Green

 

Other Tech:

- 2021 Volvo S60 Recharge T8 Polestar Engineered - 415hp/495tq 2.0L 4cyl. turbocharged, supercharged and electrified.

Lenovo 720S Touch 15.6" - i7 7700HQ, 16GB RAM 2400MHz, 512GB NVMe SSD, 1050Ti, 4K touchscreen

MSI GF62 15.6" - i7 7700HQ, 16GB RAM 2400 MHz, 256GB NVMe SSD + 1TB 7200rpm HDD, 1050Ti

- Ubiquiti Amplifi HD mesh wifi

 


6 minutes ago, Dedayog said:

What?  They leaked your images?  Little more context please.

Not sure how far out of the loop you are, but Linus and Luke talked about it on WAN Show last week.

 

 

TL;DW: Eufy smart doorbells were uploading unencrypted photos to servers, even though Anker (the parent company) said they only recorded locally. It was also possible to remotely initiate an unencrypted live stream from these devices, which could be viewed with plain old VLC. LMG's dropping Anker as a sponsor because of this.

 

https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

 

I sold my soul for ProSupport.


Just now, Needfuldoer said:

Not sure how far out of the loop you are, but Linus and Luke talked about it on WAN Show last week.

 

 

TL;DW: Eufy smart doorbells were uploading unencrypted photos to servers, even though Anker (the parent company) said they only recorded locally. It was also possible to remotely initiate an unencrypted live stream from these devices, which could be viewed with plain old VLC. LMG's dropping Anker as a sponsor because of this.

 

https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

 

Way out of the loop.

 

I don't watch LAN.  If I had, I wouldn't have posted a thread here about if it was already covered.  Not sure why the OP posted this.


5 minutes ago, Dedayog said:

Way out of the loop.

 

I don't watch LAN.  If I had, I wouldn't have posted a thread here about if it was already covered.  Not sure why the OP posted this.

The WAN show is missing a bit of context. Eufy has facial recognition software that runs on the cameras themselves (some people online are falsely saying the uploads to the Eufy servers are for the facial recognition; this isn't true), BUT they do this for the notifications, since the cameras themselves can't really do that without some support (unless you're self-hosting, I don't see how cameras and doorbells could send you SMS or email notifications by themselves).

 

With that said, the fact that the user can't delete those images, and that you're being fingerprinted and will be recognized by other Eufy devices is HIGHLY sketchy to say the least, and that's why I have a hard time believing they're GDPR compliant.

 

See Paul Moore's videos if you want the source of the findings:

 

 

 

 

One of Paul Moore's tweets about GDPR compliance:

So what are the next steps here? Any way Eufy can fix this, or is the trust completely gone?

If so, what are other options for ppl who want/need a security system?

The fact that deleting the account didn't delete the push notification cache is not surprising or a GDPR violation. They have 30 days to delete functionally required content. The CloudFront links automatically expire, and it is basically impossible to guess the notification link unless you own the camera, have its serial number, account info and event timestamp, and do that within the day or so the link is valid. If you want fast and reliable rich push notifications, you would actually need to send the pictures and face matches so they can be displayed on the user's device the moment they get network access.

If they did a pure local relay solution, it could be super slow or unreliable in poor network conditions. The user also has to enable face matches and turn on rich notifications. If you don't, then the images are not sent. CDNs cache data short term; deleting your account won't magically erase all traces right away.

You trade security for convenience. You could disable all notifications and block it from the WAN network; the VLC playback thing would be all that remains, and it is a feature, and it's only exposed if you expose it directly to the internet, as it's meant for LAN RTSP streaming to a NAS. If you mess that up, you're probably exposing your entire LAN as well.

They are selling more powerful, more local Homebases, but it's a cost vs. features thing. They are purely local storage; that is how they offer no subscription cost. But notifications that work well have to transit the cloud, and CDN caching is a reliability feature you'd want; otherwise, if you lose network for even a moment remotely, you'd miss notifications and preview images, and face matches you configured would not show up or would show up much later.

Did anyone catch this deal on Newegg's Daily Deals today? Lol

Newegg trying to offload these devices before they're outlawed in the US/EU.
